BlueHat Seattle 2019 || Don't forget to SUBSCRIBE.
•
0 likes•245 views
Elvis Collado This talk is about how an unauthenticated heap-based buffer overflow vulnerability was discovered and exploited within a router distributed by a market-leading ISP. Despite the targeted process utilizing mitigations such as DEP and ASLR, it still fell prey to known exploitation techniques. This talk will go over the thought process, failures, and road-blocks that were encountered and how they were overcame.
Recommended
More Related Content
What's hot
What's hot (20)
Similar to BlueHat Seattle 2019 || Don't forget to SUBSCRIBE.
Similar to BlueHat Seattle 2019 || Don't forget to SUBSCRIBE. (20)
More from BlueHat Security Conference
More from BlueHat Security Conference (20)
Recently uploaded
Recently uploaded (20)
BlueHat Seattle 2019 || Don't forget to SUBSCRIBE.
- 3. Exodus Intelligence Don’t forget tolike and ^
- 4. Exodus Intelligence GreenWave FiOS-G1100 FCCID: 2ABTEG1100
- 9. Exodus Intelligence GreenWave FiOS-G1100 TDO TCK TMS TDI SRST TRST GND
- 11. Exodus Intelligence GreenWave FiOS-G1100 GND RX TX +3.3
- 12. Exodus Intelligence GreenWave FiOS-G1100 GND RX TX +3.3
- 29. Exodus Intelligence wps_monitor Not Impacted by ASLRNULL Byte(s)
- 31. Exodus Intelligence GreenWave FiOS-G1100 vuln hunting
- 32. Exodus Intelligence Search: %s Vuln Hunting
- 35. Exodus Intelligence Vuln Hunting some sort of stuct (e.g. thing->buf)
- 43. Exodus Intelligence Vuln Hunting +0x20c0 – something +0x20c4 – something +0x20c8 – char vuln[4096] +0x30c8 – char foo1[56]? +0x3100 – short? +0x3102 – char foo2[x]
- 44. Exodus Intelligence Vuln Hunting Source: https://github.com/Olipro/VMG1312- B10A/blob/9ae84bc248340f0cb3fb349afffd95a9939a0f02/bcmdrivers/broadcom /net/wl_4.12L08/impl14/router/bcmupnp/include/upnp_type.h
- 50. Exodus Intelligence Vuln Hunting Source: http://www.upnp.org/specs/arch/UPnP-arch-DeviceArchitecture-v1.1.pdf
- 53. Exodus Intelligence Vuln Hunting Obtain PC Control Can’t use wps_monitor as a gadget (‘x00’) ASLR on imported libraries
- 57. Exodus Intelligence Exploit Dev Spray the heap Do some magic Trigger overflow and get code exec?
- 59. Exodus Intelligence Exploit Dev 100 * 1024 * 1024 = 0x06400000
- 60. Exodus Intelligence Exploit Dev ⚫ Heap base address always loads below 0x03030303
- 68. Exodus Intelligence Exploit Dev Heap 0x00 0xXXXXXXXX 4KB 4KB 4KB 4KB 4KB 4KB 4KB 4KB 4KB 4KB 4KB 4KB 4KB 4KB 4KB 4KB 4KB 4KB
- 70. Exodus Intelligence Exploit Dev Grow the heap Do some magic
- 71. Exodus Intelligence Exploit Dev http://www.upnp.org/specs/arch/UPnP-arch-DeviceArchitecture-v1.1.pdf
- 80. Exodus Intelligence Exploit Dev Spray the heap Do some magic
- 81. Exodus Intelligence Exploit Dev (road-blocks)
- 82. Exodus Intelligence Exploit Dev (road-blocks)
- 83. Exodus Intelligence Exploit Dev (road-blocks) Remember: You can’t build a house without a roof
- 84. Exodus Intelligence Exploit Dev (road-blocks) Heap 0x00 0xXXXXXXXX 4KB 4KB 4KB 4KB 4KB 4KB 4KB 4KB 4KB 4KB 4KB 4KB 4KB 4KB 4KB 4KB 4KB4KB 4KB4KB4KB4KB4KB4KB4KB4KB 4KB
- 85. Exodus Intelligence Exploit Dev (road-blocks) Heap 0x00 4KB 0xXXXXXXXX 4KB4KB4KB4KB4KB4KB4KB4KB4KB4KB4KB4KB4KB4KB4KB4KB4KB
- 86. Exodus Intelligence Exploit Dev (road-blocks) Heap 0x00 4KB 0xXXXXXXXX 4KB4KB4KB4KB4KB4KB4KB4KB4KB4KB4KB4KB4KB4KB4KB4KB4KB
- 87. Exodus Intelligence Exploit Dev (road-blocks) Heap 0x00 0xXXXXXXXX 4KB 4KB 4KB 4KB 4KB 4KB 4KB 4KB 4KB 4KB 4KB 4KB 4KB 4KB 4KB 4KB 4KB4KB 4KB4KB4KB4KB4KB4KB4KB4KB
- 88. Exodus Intelligence Exploit Dev (road-blocks)
- 89. Exodus Intelligence Exploit Dev (road-blocks)
- 90. Exodus Intelligence Exploit Dev (road-blocks)
- 91. Exodus Intelligence Exploit Dev (road-blocks)
- 92. Exodus Intelligence Exploit Dev (road-blocks)
- 93. Exodus Intelligence Exploit Dev (road-blocks) Heap 0x00 0xXXXXXXXX 4KB 4KB 4KB 4KB 4KB 4KB 4KB 4KB 4KB 4KB 4KB 4KB 4KB 4KB 4KB 4KB 4KB4KB 4KB4KB4KB4KB4KB
- 94. Exodus Intelligence Exploit Dev Spray the heap Do some magic Dev exploit chain
- 100. Exodus Intelligence Exploit Dev ⚫ Gadget 1 ⚫ Grants the ability to call a function with 2 arguments ⚫ Gadget 2 ⚫ Cheap stack pivot + control of R4-R7 ⚫ Gadget 3 ⚫ Move the value of R7 [IAT table ptr to strtoul()-4] into R0 ⚫ Control of R3-R7 ⚫ Gadget 4 ⚫ Deref R0+4 into R0. [R0 is now in libc] ⚫ Control of R3-R7
- 101. Exodus Intelligence Exploit Dev ⚫ Gadget 5 ⚫ Add R3 and R0 and store the result in R0 ⚫ R0 now points to popen() ⚫ Control of R4 ⚫ Gadget 6 ⚫ Store the value of R0 into the heap ⚫ Gadget 7 (aka 1 again) ⚫ Pick up the stored popen() value and call it. ⚫ First arg = cmd to execute ⚫ Second arg = “r”
- 102. Exodus Intelligence Exploit Dev Gadget 1 addr: 0x000150F6+1
- 105. Exodus Intelligence Exploit Dev (road-block)
- 106. Exodus Intelligence Exploit Dev (road-block) http://infocenter.arm.com/help/index.jsp?topic=/com.arm.doc.dui0552a/BABCAEDD.html
- 107. Exodus Intelligence Exploit Dev (road-block)
- 108. Exodus Intelligence Exploit Dev Gadget 2 addr: 0x0001030C+1
- 109. Exodus Intelligence Exploit Dev Gadget 3 addr: 0x0001C30E+1
- 110. Exodus Intelligence Exploit Dev Gadget 4 addr: 0x0001C2D2+1
- 111. Exodus Intelligence Exploit Dev Gadget 5 addr: 0x00014D62+1
- 112. Exodus Intelligence Exploit Dev Gadget 6 addr: 0x000257EA+1
- 113. Exodus Intelligence Exploit Dev Gadget 7 (1) addr: 0x000150F6+1
- 114. Exodus Intelligence Exploit Dev ⚫ Putting it all together ⚫ Spray the heap ⚫ Save the SIDs ⚫ Do not free() the last SID that was saved (roof) ⚫ Free and Replace blocks via UNSUBSCRIBE and SOAP. [b64(Fake struct + ROPChain + Command)] ⚫ Free 5, Re-occupy 5, Free them again, next 5. ⚫ Watch for multicast traffic and if there’s traffic, occupy 25, free 25, ret. ⚫ Trigger Vulnerability ⚫ Win?
- 123. Exodus Intelligence $whoami ⚫ @b1ack0wl ⚫ 0day Researcher for Exodus Intelligence ⚫ Focus on embedded devices ⚫ SOHO + Enterprise network devices ⚫ Smart devices ⚫ ...etc